hosed cookie handling

Dirk Mueller mueller at kde.org
Sat Dec 21 09:15:59 GMT 2002


Hi, 

Below is a patch to make cookies work again in Konqueror. 

I still don't think implementing the broken netscape spec is a good idea 
(it's not even implemented by IE, which means something!), because it 
introduces a less strict cookie checking than all other browsers, including 
those which are vulnerable to cookie stealing attacks (IE). And I'm sick 
of doing another security update just because we introduce such a 
compatibility hack that no other browser does AFAIK. 

The patch corrects various errors in the matching code introduced by the 
last commit and gives it at least somewhat IE-compatible mode with 
mProtocolVersion == 0 (no idea what that means). The old cookie spec says 
that the file extension doesn't matter, not more. So the path still has to 
end with "." (actually it should check for the last . in the filename but I 
guess that doesn't matter much). 

In addition, at least mailman registered the cookie with path == 
"/mailman/", so the path check had an off-by-one. I'm not sure if other 
sites do it differently, I guess we have to add some path normalisation in a 
sane place to catch the "trailing slash" problem. 


BTW, I've also seen the broken "TLD" check in ::extractDomains. It for 
example does not handle .name domains correctly, which have i.e. 
"dirk.mueller.name" as toplevel domain, not "mueller.name". No patch for 
that yet as I didn't fully grasp the code. 

Please review. 



-- 
Dirk (received 80 mails today)
-------------- next part --------------
Index: kcookiejar.cpp
===================================================================
RCS file: /home/kde/kdelibs/kioslave/http/kcookiejar/kcookiejar.cpp,v
retrieving revision 1.90
diff -u -5 -d -p -b -r1.90 kcookiejar.cpp
--- kcookiejar.cpp	16 Dec 2002 13:27:25 -0000	1.90
+++ kcookiejar.cpp	21 Dec 2002 09:15:54 -0000
@@ -182,18 +182,20 @@ bool KHttpCookie::match(const QString &f
           if ( fqdn != mDomain )
             return false;
     }
 
     // Cookie path match check
-    if (path.isEmpty())
+    if (mPath.isEmpty())
         return true;
 
     // According to the netscape spec both http://www.acme.com/foobar and
     // http://www.acme.com/foo/bar match http://www.acme.com/foo
     // According to RFC2109 only http://www.acme.com/foo/bar matches
     if( path.startsWith(mPath) &&
-        ((mProtocolVersion == 0) || (path == mPath) || (path[mPath.length()] == '/')) )
+        ( path.length() == mPath.length() ||
+          (mProtocolVersion == 0 && path[mPath.length()] == '.') ||
+          (mProtocolVersion >0 && path[mPath.length()-1] == '/')) )
         return true; // Path of URL starts with cookie-path
 
     return false;
 }
 
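Review bot: in the new third condition, path[mPath.length()-1] == '/' tests the last character of the cookie path itself, not the character that follows it in the request path, because path.startsWith(mPath) already holds and that index lies inside the shared prefix. A cookie with mPath "/foo" therefore no longer matches "/foo/bar" when mProtocolVersion > 0, although the comment above says RFC2109 matches it. The mProtocolVersion == 0 branch accepts only a following '.', so it also rejects "/foo/bar", and for a cookie path such as "/mailman/" it rejects every longer request path unless the next character happens to be '.'. Suggest accepting, for both versions, when mPath ends in '/' or path[mPath.length()] == '/', and keeping the '.' test as the extra version-0 allowance. The switch from path.isEmpty() to mPath.isEmpty() at the top of the hunk would also benefit from a one-line comment saying that an empty cookie path matches every request path.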


More information about the kfm-devel mailing list